author | Alex Auvolat <alex@adnab.me> | 2023-05-09 12:20:35 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2023-05-09 12:20:35 +0200 |
commit | 24cf7ddd91e4b726d2ed276787947e104e26b53b (patch) | |
tree | aeeec287fa80593ec83f0022d246a7defbf72c92 | |
parent | 6c07a429781d4a26a546e3f3049b41e0b968b033 (diff) | |
parent | 24192cc61a982402e201d6dde4fa5ac2994e025f (diff) | |
download | nixcfg-24cf7ddd91e4b726d2ed276787947e104e26b53b.tar.gz nixcfg-24cf7ddd91e4b726d2ed276787947e104e26b53b.zip |
Merge branch 'main' into simplify-network-config
-rw-r--r-- | cluster/prod/app/backup/deploy/backup-weekly.hcl | 4 | ||||
-rw-r--r-- | cluster/prod/app/email/config/sogo/sogo.conf.tpl | 14 | ||||
-rw-r--r-- | cluster/prod/app/matrix/config/synapse/homeserver.yaml | 2 | ||||
-rw-r--r-- | cluster/prod/app/matrix/deploy/im.hcl | 18 | ||||
-rw-r--r-- | cluster/prod/app/plume/config/app.env | 2 | ||||
-rw-r--r-- | cluster/prod/app/postgres/deploy/postgres.hcl | 20 | ||||
-rw-r--r-- | cluster/prod/app/telemetry/deploy/telemetry-service.hcl | 2 | ||||
-rw-r--r-- | cluster/prod/app/telemetry/deploy/telemetry-storage.hcl | 2 | ||||
-rw-r--r-- | cluster/prod/app/telemetry/deploy/telemetry-system.hcl | 2 | ||||
-rw-r--r-- | nix/deuxfleurs.nix | 4 |
10 files changed, 41 insertions, 29 deletions
diff --git a/cluster/prod/app/backup/deploy/backup-weekly.hcl b/cluster/prod/app/backup/deploy/backup-weekly.hcl index 36a507a..6a00507 100644 --- a/cluster/prod/app/backup/deploy/backup-weekly.hcl +++ b/cluster/prod/app/backup/deploy/backup-weekly.hcl @@ -1,5 +1,5 @@ job "backup_weekly" { - datacenters = ["orion"] + datacenters = ["orion", "neptune", "bespin"] type = "batch" priority = "60" @@ -30,7 +30,7 @@ AWS_ENDPOINT=s3.deuxfleurs.shirokumo.net AWS_ACCESS_KEY_ID={{ key "secrets/postgres/backup/aws_access_key_id" }} AWS_SECRET_ACCESS_KEY={{ key "secrets/postgres/backup/aws_secret_access_key" }} CRYPT_PUBLIC_KEY={{ key "secrets/postgres/backup/crypt_public_key" }} -PSQL_HOST=psql-proxy.service.prod.consul +PSQL_HOST={{ env "meta.site" }}.psql-proxy.service.prod.consul PSQL_USER={{ key "secrets/postgres/keeper/pg_repl_username" }} PGPASSWORD={{ key "secrets/postgres/keeper/pg_repl_pwd" }} EOH diff --git a/cluster/prod/app/email/config/sogo/sogo.conf.tpl b/cluster/prod/app/email/config/sogo/sogo.conf.tpl index d6094bf..bb87f14 100644 --- a/cluster/prod/app/email/config/sogo/sogo.conf.tpl +++ b/cluster/prod/app/email/config/sogo/sogo.conf.tpl 
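Review bot: The rewritten `PSQL_HOST` line in the second backup-weekly.hcl hunk has no fallback when the node's `meta.site` is empty: as far as I can tell the template `env` function renders an unset value as an empty string, so the task receives `PSQL_HOST=.psql-proxy.service.prod.consul` and the weekly backup only fails at connect time, inside a batch job. The same silent failure mode applies to the new hostnames in sogo.conf.tpl, homeserver.yaml, im.hcl and app.env, and to the `${meta.site}` service tags in postgres.hcl. Because the first hunk also widens `datacenters` to three sites, a job-level `constraint { attribute = "${meta.site}" operator = "is_set" }` would reject placement on an unlabelled node up front instead of producing a failed backup run. The heredoc holding these variables and the job stanza around it both continue outside the hunk.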
@@ -3,13 +3,13 @@ WOWorkersCount = 3; SxVMemLimit = 300; WOPort = "127.0.0.1:20000"; - SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_user_profile"; - OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_sessions_folder"; - OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_alarms_folder"; - OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_store"; - OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_acl"; - OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@psql-proxy.service.prod.consul:5432/sogo/sogo_cache_folder"; + SOGoProfileURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_user_profile"; + OCSFolderInfoURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_sessions_folder"; + OCSEMailAlarmsFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_alarms_folder"; + OCSStoreURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" 
}}.psql-proxy.service.prod.consul:5432/sogo/sogo_store"; + OCSAclURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_acl"; + OCSCacheFolderURL = "postgresql://{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/sogo/sogo_cache_folder"; SOGoTimeZone = "Europe/Paris"; SOGoMailDomain = "deuxfleurs.fr"; SOGoLanguage = French; diff --git a/cluster/prod/app/matrix/config/synapse/homeserver.yaml b/cluster/prod/app/matrix/config/synapse/homeserver.yaml index aac8709..ecdf1cd 100644 --- a/cluster/prod/app/matrix/config/synapse/homeserver.yaml +++ b/cluster/prod/app/matrix/config/synapse/homeserver.yaml @@ -61,7 +61,7 @@ database: user: {{ key "secrets/chat/synapse/postgres_user" | trimSpace }} password: {{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} database: {{ key "secrets/chat/synapse/postgres_db" | trimSpace }} - host: psql-proxy.service.prod.consul + host: {{ env "meta.site" }}.psql-proxy.service.prod.consul port: 5432 cp_min: 5 cp_max: 10 diff --git a/cluster/prod/app/matrix/deploy/im.hcl b/cluster/prod/app/matrix/deploy/im.hcl index ed05ffc..324c3d9 100644 --- a/cluster/prod/app/matrix/deploy/im.hcl +++ b/cluster/prod/app/matrix/deploy/im.hcl @@ -1,5 +1,5 @@ job "matrix" { - datacenters = ["orion"] + datacenters = ["orion", "neptune"] type = "service" priority = 40 @@ -8,6 +8,7 @@ job "matrix" { network { port "api_port" { static = 8008 } + port "web_port" { to = 8043 } } task "synapse" { @@ -79,6 +80,7 @@ job "matrix" { "tricot im.deuxfleurs.fr:443/_matrix 100", "tricot im.deuxfleurs.fr/_synapse 100", "tricot-add-header Access-Control-Allow-Origin *", + "d53-cname im.deuxfleurs.fr", ] check { type = "tcp" 
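Review bot: The seven rewritten URLs in the sogo.conf.tpl hunk each repeat the whole host expression `{{ env "meta.site" }}.psql-proxy.service.prod.consul`, so the next host change is again a seven-line edit with the risk of updating six of them. The template language supports variables, so binding the host once above the first URL, `{{ $pghost := printf "%s.psql-proxy.service.prod.consul" (env "meta.site") }}`, and writing each value as `@{{ $pghost }}:5432/sogo/...` leaves a single definition. The credential fragment `{{ key "secrets/email/sogo/postgre_auth" | trimSpace }}` is repeated the same seven times and could be bound the same way. The dictionary enclosing these keys opens and closes outside the hunk.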
@@ -123,24 +125,15 @@ AWS_DEFAULT_REGION=garage PG_USER={{ key "secrets/chat/synapse/postgres_user" | trimSpace }} PG_PASS={{ key "secrets/chat/synapse/postgres_pwd" | trimSpace }} PG_DB={{ key "secrets/chat/synapse/postgres_db" | trimSpace }} -PG_HOST=psql-proxy.service.2.cluster.deuxfleurs.fr +PG_HOST={{ env "meta.site" }}.psql-proxy.service.2.cluster.deuxfleurs.fr PG_PORT=5432 EOH destination = "secrets/env" env = true } } - } - - - group "riotweb" { - count = 1 - - network { - port "web_port" { to = 8043 } - } - task "server" { + task "riotweb" { driver = "docker" config { image = "superboum/amd64_riotweb:v33" @@ -164,6 +157,7 @@ EOH "webstatic", "tricot im.deuxfleurs.fr 10", "tricot riot.deuxfleurs.fr 10", + "d53-cname riot.deuxfleurs.fr", ] port = "web_port" address_mode = "host" diff --git a/cluster/prod/app/plume/config/app.env b/cluster/prod/app/plume/config/app.env index 5c9ede6..b751bd6 100644 --- a/cluster/prod/app/plume/config/app.env +++ b/cluster/prod/app/plume/config/app.env @@ -12,7 +12,7 @@ ROCKET_SECRET_KEY={{ key "secrets/plume/secret_key" | trimSpace }} POSTGRES_PASSWORD={{ key "secrets/plume/pgsql_pw" | trimSpace }} POSTGRES_USER=plume POSTGRES_DB=plume -DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@psql-proxy.service.prod.consul:5432/plume +DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/plume MIGRATION_DIRECTORY=migrations/postgres USE_HTTPS=0 diff --git a/cluster/prod/app/postgres/deploy/postgres.hcl b/cluster/prod/app/postgres/deploy/postgres.hcl index 9bad079..e8825a1 100644 --- a/cluster/prod/app/postgres/deploy/postgres.hcl +++ b/cluster/prod/app/postgres/deploy/postgres.hcl @@ -1,5 +1,5 @@ job "postgres14" { - datacenters = ["orion"] + datacenters = ["orion", "neptune", "bespin"] type = "system" priority = 90 
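Review bot: The new `PG_HOST` value in the `@@ -123,24 +125,15 @@` hunk of im.hcl uses the suffix `.service.2.cluster.deuxfleurs.fr` while every other consumer touched by this commit (backup-weekly.hcl, sogo.conf.tpl, homeserver.yaml, app.env) uses `.service.prod.consul`. The suffix was already different before this change, but now that the lookup also depends on the site tag prefix it is worth confirming that this second zone resolves the `<tag>.<service>` form the same way; if there is no reason for the difference, `PG_HOST={{ env "meta.site" }}.psql-proxy.service.prod.consul` would make the six consumers consistent. Separately, folding `task "riotweb"` into the synapse group means both tasks now share one allocation, so a reschedule of the group takes the web client down together with synapse; if that coupling is intended, a one-line comment above the task saying so would save the next reader from re-deriving it. The group header and its `count` are outside the hunk.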
@@ -16,6 +16,20 @@ job "postgres14" { port "psql_port" { static = 5433 } } + constraint { + attribute = "${attr.unique.hostname}" + operator = "set_contains_any" + # target: courgette,df-ymf,abricot (or ananas) + value = "diplotaxis,courgette,concombre,df-ymf" + } + + restart { + interval = "10m" + attempts = 10 + delay = "15s" + mode = "delay" + } + task "sentinel" { driver = "docker" @@ -99,7 +113,7 @@ job "postgres14" { } service { - tags = ["sql"] + tags = ["sql", "${meta.site}"] port = "psql_proxy_port" address_mode = "host" name = "psql-proxy" @@ -179,7 +193,7 @@ job "postgres14" { } service { - tags = ["sql"] + tags = ["sql", "${meta.site}"] port = "psql_port" address_mode = "host" name = "psql-keeper" diff --git a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl index afa8a8d..9ec43ae 100644 --- a/cluster/prod/app/telemetry/deploy/telemetry-service.hcl +++ b/cluster/prod/app/telemetry/deploy/telemetry-service.hcl @@ -45,7 +45,7 @@ job "telemetry-service" { task "grafana" { driver = "docker" config { - image = "grafana/grafana:9.3.2" + image = "grafana/grafana:9.5.1" network_mode = "host" ports = [ "grafana" ] volumes = [ diff --git a/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl b/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl index d4667fa..b012e3f 100644 --- a/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl +++ b/cluster/prod/app/telemetry/deploy/telemetry-storage.hcl @@ -20,7 +20,7 @@ job "telemetry-storage" { task "prometheus" { driver = "docker" config { - image = "prom/prometheus:v2.41.0" + image = "prom/prometheus:v2.43.1" network_mode = "host" ports = [ "prometheus" ] args = [ diff --git a/cluster/prod/app/telemetry/deploy/telemetry-system.hcl b/cluster/prod/app/telemetry/deploy/telemetry-system.hcl index ae9ff72..a861c61 100644 --- a/cluster/prod/app/telemetry/deploy/telemetry-system.hcl +++ b/cluster/prod/app/telemetry/deploy/telemetry-system.hcl 
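Review bot: In the `@@ -16,6 +16,20 @@` hunk of postgres.hcl the comment `# target: courgette,df-ymf,abricot (or ananas)` does not describe the value beneath it, `diplotaxis,courgette,concombre,df-ymf`: diplotaxis and concombre are absent from the target list and abricot/ananas are absent from the value. Since this `set_contains_any` constraint is the only thing deciding which hosts across the three datacenters run the `system` job that holds the database, the comment should state what the value is and how it relates to the target, e.g. `# Hosts currently allowed to run postgres; intended end state: courgette,df-ymf,abricot (or ananas)`. A stale allowlist comment here is how a node gets added or removed from the database set by mistake, so keeping the two lists in sync matters more than usual. The `group` stanza containing this constraint begins and ends outside the hunk.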
@@ -12,7 +12,7 @@ job "telemetry-system" { driver = "docker" config { - image = "quay.io/prometheus/node-exporter:v1.4.0" + image = "quay.io/prometheus/node-exporter:v1.5.0" network_mode = "host" volumes = [ "/:/host:ro,rslave" diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix index 9ef2b2a..664b949 100644 --- a/nix/deuxfleurs.nix +++ b/nix/deuxfleurs.nix @@ -218,6 +218,10 @@ in domain-insecure = [ "consul." ]; local-zone = [ "consul. nodefault" ]; log-servfail = true; + verbosity = 1; + log-queries = true; + use-syslog = false; + logfile = "/dev/stdout"; access-control = [ "127.0.0.0/8 allow" "172.17.0.0/16 allow" |
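Review bot: `log-queries = true;` in the nix/deuxfleurs.nix hunk turns on per-query logging for the unbound resolver with no indication of why or for how long; every client lookup (source address and queried name) now goes to stdout on each node using this module, which is a data-minimisation and log-volume cost that unbound's own manual reserves for debugging and warns slows the server. If this is to trace the site-tagged `psql-proxy` lookups introduced elsewhere in this merge, say so above the line, e.g. `# Temporary: per-query logging to debug the site-tagged consul lookups; revert when done`, or put it behind an option that defaults to off. Also worth a check that `logfile = "/dev/stdout"` with `use-syslog = false` works if unbound runs chrooted, since the path must then exist inside the chroot — the chroot setting is not visible from this hunk. The attribute set these settings belong to opens and closes outside the hunk.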